[00:00.000 --> 00:02.760]  I really, really appreciate it and am grateful for being here.
[00:02.760 --> 00:05.840]  So thank you a lot for DEF CON, for DEF CON Heritage Village,
[00:05.840 --> 00:08.360]  SentinelOne, and everyone that supported me along the way.
[00:08.400 --> 00:13.340]  We'll speak about it also soon. Let's start with the title.
[00:13.380 --> 00:15.580]  So, Hacking Smart Devices for Fun and Profit.
[00:15.580 --> 00:22.140]  This is a true and genuine story about me going from exploiting my smart home
[00:22.140 --> 00:27.520]  to gaining control over thousands of smart devices in the entire world.
[00:27.520 --> 00:28.900]  So, let's start.
[00:28.900 --> 00:33.040]  So, first about me. My name is Barak Sternberg.
[00:33.040 --> 00:35.700]  I also live in DEF in Twitter, so make sure to follow.
[00:35.700 --> 00:40.140]  I'm a security researcher and also an author in SentinelOne Labs.
[00:40.360 --> 00:43.820]  I have a master's in computer science on algorithms.
[00:44.280 --> 00:49.980]  And one of the favorite things I love to mention is that I'm also a party lover and a DJ.
[00:49.980 --> 00:55.720]  So, make sure you follow my Mixcloud to see my sets and stuff.
[00:55.720 --> 00:59.980]  But besides following our party, which is not so relevant in the corona period,
[01:00.400 --> 01:03.620]  I love to focus on vulnerability research.
[01:03.620 --> 01:07.300]  I love computer security. I'm an enthusiast about network security,
[01:07.300 --> 01:12.040]  IoT, embedded devices, Linux, web apps, and more and more.
[01:12.040 --> 01:14.920]  And also analyzing malware in the wild.
[01:14.920 --> 01:22.020]  I'm a CTF player and I love a good game of hacking any kind of devices.
[01:22.020 --> 01:25.080]  So, with this in mind, let's start.
[01:25.080 --> 01:31.180]  So, the start of this project goes quite, well, way back.
[01:31.180 --> 01:34.700]  And when I say way back, I mean really back, 2010.
[01:35.000 --> 01:36.580]  What happened in 2010?
[01:36.580 --> 01:40.320]  So, first, we were renovating our family home.
[01:40.320 --> 01:42.420]  We were fixing up this whole home.
[01:42.420 --> 01:47.720]  The second most important thing was that The Walking Dead's first season was just coming out.
[01:47.800 --> 01:53.140]  The first season, just to keep in mind, today it's the 10th season already, I think,
[01:53.140 --> 01:54.400]  of the Walking Dead.
[01:54.400 --> 01:55.320]  And it keeps counting.
[01:55.320 --> 01:56.260]  Amazing series.
[01:56.260 --> 01:57.140]  Must watch.
[01:57.140 --> 01:58.600]  A must-watch one.
[01:59.240 --> 02:04.280]  And, well, we installed smart home devices, which were the Philips Dynalite.
[02:04.280 --> 02:08.960]  And the Philips Dynalite has software and apps, but they were really, really expensive.
[02:09.160 --> 02:12.260]  Back then, it was really high extras.
[02:12.260 --> 02:13.320]  And we didn't buy it.
[02:13.320 --> 02:18.700]  Just the technician came, installed the software and apps for himself,
[02:18.700 --> 02:22.420]  to configure all of our devices, all of our smart home systems.
[02:22.420 --> 02:27.660]  And from there on, we didn't have anything to control it.
[02:27.660 --> 02:32.840]  So, you can say it's a smart home device, but not quite, really.
[02:34.020 --> 02:37.220]  And so, we don't have any remote app control.
[02:37.280 --> 02:42.480]  And usually, in these scenarios, we can think about ourselves as, well,
[02:42.480 --> 02:47.420]  our own technicians that can do it by ourselves, right?
[02:47.420 --> 02:49.680]  So, why not do it ourselves?
[02:49.680 --> 02:53.280]  So, this scary diagram is not that scary.
[02:53.280 --> 02:58.120]  What you see here is actually the Philips Dynalite controllers
[02:58.120 --> 03:03.680]  that control my smart home devices in my parents' home.
[03:03.680 --> 03:06.300]  These actually have been the controllers themselves.
[03:06.300 --> 03:10.560]  So, as you can see here, this one is the full electricity diagram
[03:10.560 --> 03:14.150]  downloaded freely from the Philips site.
[03:14.580 --> 03:17.800]  And the interesting thing you can observe here is that, well,
[03:17.800 --> 03:19.580]  each controller controls something.
[03:19.580 --> 03:24.100]  Each controller, maybe for specific lights, has specific capabilities and attributes.
[03:24.100 --> 03:29.320]  So, this electricity diagram has on this side the channels,
[03:29.320 --> 03:32.900]  which are directly connected usually to the relays,
[03:32.900 --> 03:37.260]  to the dimmers, to the buttons, to anything.
[03:37.260 --> 03:40.980]  For example, this channel, channel one,
[03:40.980 --> 03:44.560]  outputs power to your lights,
[03:44.560 --> 03:47.440]  your light bulb, or maybe to a window,
[03:47.440 --> 03:50.720]  or maybe to a large light system, or anything else.
[03:50.720 --> 03:52.840]  So, this is on these sides, and this is the relay,
[03:52.840 --> 03:54.580]  the switch on and off stuff.
[03:54.640 --> 03:57.040]  And on the other side, they are connected, as you can see here,
[03:57.040 --> 03:59.780]  the microprocessor. This is the microprocessor.
[03:59.960 --> 04:02.580]  And this microprocessor is very cool
[04:02.580 --> 04:07.700]  because it's the thing that connects between the electricity circuits here
[04:07.700 --> 04:09.860]  and the serial, which is here.
[04:09.860 --> 04:12.320]  So, on its other end, there is a serial output,
[04:12.320 --> 04:17.580]  you can obviously understand it might be the controlling area.
[04:17.580 --> 04:20.920]  So, when I connect to these devices to configure them,
[04:20.920 --> 04:24.160]  I usually use this serial interface.
[04:24.160 --> 04:26.560]  And this uses something that's called the Dynet protocol
[04:26.560 --> 04:30.900]  of the Dynalite Philips systems.
[04:30.900 --> 04:31.920]  And it's really cool.
[04:31.920 --> 04:38.820]  It's connected by RS-485, which is really, it's not that unique,
[04:38.820 --> 04:40.980]  in the sense that many industrial systems
[04:40.980 --> 04:43.300]  are actually using this kind of serial
[04:43.300 --> 04:48.460]  compared to the usual serial, RS-232.
[04:49.480 --> 04:52.860]  And also, what you can understand is that this serial
[04:52.860 --> 04:57.440]  is connected to this building block, which is, what is that?
[04:57.440 --> 05:01.160]  So, this is, I bought actually an IP serial adapter.
[05:01.820 --> 05:06.500]  And this is a cool serial adapter that is used to connect
[05:06.500 --> 05:10.040]  between the serial and the IP.
[05:10.680 --> 05:14.520]  And I am sitting here gently and trying to wait
[05:14.520 --> 05:16.360]  for something to happen, right?
[05:16.360 --> 05:19.760]  Sending commands maybe, seeing something, I don't know.
[05:19.920 --> 05:22.760]  So, what happened next is that I tried to send codes
[05:22.760 --> 05:24.040]  to these controllers.
[05:24.280 --> 05:27.220]  I'm sending codes to these controllers and nothing happened.
[05:27.220 --> 05:27.740]  Nothing.
[05:27.740 --> 05:31.120]  I use this wonderful GitHub repo, which is not complete.
[05:31.120 --> 05:35.640]  It has several API documents for Dynet-01,
[05:35.640 --> 05:37.860]  but it's not exactly the Dynet I needed.
[05:38.820 --> 05:40.420]  It's really weird.
[05:40.420 --> 05:44.420]  And also, the packets.
[05:44.420 --> 05:50.540]  So, I could observe the type of packets that get
[05:50.540 --> 05:52.180]  sent to Dynet.
[05:52.180 --> 05:56.040]  The packets usually are in the structure of sync number,
[05:56.040 --> 05:59.800]  an area code, a command type, and some extra data
[05:59.800 --> 06:04.200]  to navigate between the different possibilities.
[06:04.200 --> 06:08.840]  For example, I want the light to be at 100%
[06:08.840 --> 06:14.240]  or 50% light.
[06:14.400 --> 06:18.980]  So, I can put this stuff in the extra data area,
[06:18.980 --> 06:20.120]  which is right here.
[06:20.120 --> 06:24.100]  So, this is a packet that gets sent over a serial connection,
[06:24.100 --> 06:26.840]  as I've seen before, as we have seen before.
[06:27.040 --> 06:28.360]  And this is really cool.
[06:28.360 --> 06:31.500]  So, I start sending packets, nothing happens.
[06:31.500 --> 06:35.020]  And I remember me and my father sitting in the saloon,
[06:35.020 --> 06:38.480]  and like, why not send in all the packets?
[06:38.480 --> 06:40.960]  And when I mean all the packets, let's just send,
[06:40.960 --> 06:42.380]  let's just fuzz the system, right?
[06:42.380 --> 06:43.860]  What could happen, right?
[06:43.860 --> 06:46.040]  Sending all opcodes to the controllers could be
[06:46.040 --> 06:47.620]  an amazing thing to do, no?
[06:47.880 --> 06:49.060]  Really, all.
[06:49.060 --> 06:52.920]  Like, in four, I exchange 256.
[06:54.480 --> 07:00.360]  And it wasn't a surprise that, yeah,
[07:00.360 --> 07:03.220]  maybe you laugh right now, but it's actually a real thing.
[07:03.220 --> 07:06.940]  It's a house that people live in that went crazy.
[07:06.980 --> 07:08.660]  So, we send all of these commands,
[07:08.660 --> 07:10.980]  and all of a sudden, I remember myself sitting in the kitchen,
[07:10.980 --> 07:13.840]  and all the lights are flipping crazy,
[07:13.840 --> 07:16.600]  windows turning on and off at the same time,
[07:16.600 --> 07:18.420]  and we don't know what is happening.
[07:18.480 --> 07:21.600]  And, well, try to remember which command you were sending
[07:21.600 --> 07:24.740]  in this fuzzing loop that tried to fuzz all these commands.
[07:24.740 --> 07:30.780]  So, I did try to fix it, as my responsibility, of course.
[07:30.780 --> 07:33.020]  And I tried to fix it.
[07:33.020 --> 07:35.020]  And I tried to reverse these commands.
[07:35.020 --> 07:36.220]  And some of them have been fixed.
[07:36.220 --> 07:37.940]  But remember, these commands are
[07:37.940 --> 07:41.080]  not just for turning the lights on and off,
[07:41.080 --> 07:44.220]  they also control the configuration,
[07:44.220 --> 07:46.020]  the main configuration of the lights,
[07:46.020 --> 07:48.900]  and the buttons, and everything you can think about.
[07:48.900 --> 07:50.460]  So, this is insane.
[07:50.460 --> 07:53.780]  And, well, I tried to fix it.
[07:54.980 --> 07:59.420]  And, yeah, and all of a sudden, 6 a.m.,
[07:59.420 --> 08:03.700]  I got this message from my mom sending me that,
[08:03.700 --> 08:06.280]  well, I hope you guys had fun the other day,
[08:06.280 --> 08:07.880]  because I woke up 6 a.m.
[08:07.880 --> 08:11.220]  because all the lights were turning on at the same time.
[08:11.300 --> 08:17.280]  At this point, we've come to a small conclusion that,
[08:17.280 --> 08:19.600]  well, the first one is that Barak is not touching, again,
[08:19.600 --> 08:20.920]  the smart home devices.
[08:20.920 --> 08:22.380]  We'll see about that later.
[08:22.380 --> 08:25.760]  But the second one is that, well,
[08:25.760 --> 08:27.600]  we need to install new smart home devices,
[08:27.600 --> 08:28.900]  because until we do that,
[08:28.900 --> 08:31.740]  we don't actually have lights, and powers,
[08:31.740 --> 08:33.400]  and electricity for some things.
[08:33.480 --> 08:36.400]  So, yeah, okay, new smart home devices.
[08:36.400 --> 08:37.980]  And I was excited, because for me,
[08:37.980 --> 08:39.020]  it's another research to do.
[08:39.020 --> 08:39.980]  They didn't know that yet,
[08:39.980 --> 08:42.860]  but for me, it's a whole nother research.
[08:43.040 --> 08:44.440]  Okay, so let's continue.
[08:46.340 --> 08:50.160]  So, the new smart home devices are the HDL Automation devices.
[08:50.400 --> 08:52.280]  And by HDL automation devices,
[08:52.280 --> 08:56.920]  I actually mean a company which is called HDL Automation.
[08:56.980 --> 09:00.360]  And this company is a big company, an amazing one, actually.
[09:00.620 --> 09:02.460]  I must say to them, thank you,
[09:02.460 --> 09:05.700]  because they helped me a lot through the disclosure,
[09:05.700 --> 09:07.020]  and working with them,
[09:07.020 --> 09:12.060]  and they really consider the security highly in this manner and respect.
[09:12.160 --> 09:15.340]  And also, they have more than 10,000 projects around the globe,
[09:15.340 --> 09:17.840]  museums, buildings, hotels,
[09:17.840 --> 09:22.860]  and headquarters of some high priority companies,
[09:22.860 --> 09:25.560]  and stuff like that, using their systems.
[09:25.600 --> 09:28.420]  So, even airports, if I didn't say that.
[09:28.420 --> 09:31.960]  So, it's really, really interesting to investigate these controllers, right?
[09:31.960 --> 09:35.180]  And they have smart controllers for lights, windows, cameras,
[09:35.340 --> 09:39.720]  sensors, anything, anything you wouldn't even think about.
[09:39.800 --> 09:40.760]  Cool.
[09:41.360 --> 09:43.660]  So, we learned about the HDL automation,
[09:43.660 --> 09:51.560]  and we've installed in our family home the HDL smart home devices.
[09:51.560 --> 09:54.420]  Let's now see how the HDL smart home works.
[09:54.620 --> 09:55.380]  Sorry.
[09:55.380 --> 10:00.020]  So, the HDL smart home system has three basic components.
[10:00.040 --> 10:03.640]  The first component is the HDL demo relay modules.
[10:03.640 --> 10:07.560]  These are the modules which you can observe just right here.
[10:07.560 --> 10:12.400]  These modules have, on one side, the serial output,
[10:12.400 --> 10:16.880]  exactly the same kind of serial you've seen in the Philips Dynalite systems,
[10:16.880 --> 10:23.500]  with RS-485 connections, which they call BusPro, of course,
[10:23.500 --> 10:28.900]  because, for example, this BusPro is the complete analogy of Dynet.
[10:28.900 --> 10:36.740]  So, this is like the protocol on the upper side of the serial connection.
[10:36.760 --> 10:39.320]  Cool. And this is connected to the IP gateway.
[10:39.320 --> 10:44.580]  And the IP gateway is actually kind of the same as the IP gateway I built
[10:44.580 --> 10:48.240]  to adapt between the serial and the IP connection,
[10:48.240 --> 10:51.000]  from the serial to the internet, to the entire world.
[10:51.000 --> 10:53.560]  So, they have their own smart devices.
[10:53.560 --> 10:56.240]  They have their own unique IP adapter as well.
[10:56.240 --> 10:59.260]  Also, Philips has it, but it was really, really expensive.
[10:59.260 --> 11:02.380]  This is why I didn't buy it the second time either.
[11:02.380 --> 11:07.280]  But in our scenario, my parents thought, okay, it's a good idea.
[11:07.280 --> 11:08.920]  Let's buy all the things.
[11:08.920 --> 11:15.620]  And Barak doesn't even have an idea to start jiggering with these kinds of things.
[11:15.620 --> 11:17.140]  Oh, boy, they were wrong.
[11:17.140 --> 11:21.000]  And this IP gateway is serial to IP.
[11:21.000 --> 11:24.920]  And the third bullet was the HDL cloud servers.
[11:24.920 --> 11:30.020]  The HDL cloud servers are actually used mainly for remote connections,
[11:30.020 --> 11:32.000]  but not just remote connections.
[11:32.000 --> 11:35.160]  They're used to store the configuration for the smart home devices.
[11:35.160 --> 11:39.140]  They're used to connect remotely to things because you have routers, you have firewalls.
[11:39.140 --> 11:43.920]  So, this IP gateway is connected to these HDL cloud servers.
[11:43.920 --> 11:47.940]  And then when you are online on the internet, you can connect to their HDL cloud servers
[11:47.940 --> 11:54.220]  with public IP interface so you can reach your devices as well.
[11:54.460 --> 12:01.220]  And now a little bit deeper about how they install it.
[12:01.220 --> 12:04.760]  So, first time installation is quite easy and it works like this.
[12:04.760 --> 12:07.960]  You install the HDL BusPro software as a technician.
[12:07.960 --> 12:10.900]  So, for example, I'm a technician. I'm coming to your home.
[12:11.100 --> 12:15.480]  I'm installing the HDL BusPro software on my desktop machine.
[12:15.520 --> 12:21.840]  And I connect directly with my PC, my technician PC, to this IP gateway.
[12:22.080 --> 12:23.260]  It's very cool.
[12:23.260 --> 12:26.120]  And when I'm connected to this IP gateway with my HDL BusPro,
[12:26.120 --> 12:28.880]  I'm starting to configure all these devices.
[12:28.880 --> 12:33.140]  Because remember, these devices are connected serially to this IP gateway.
[12:33.140 --> 12:36.820]  So, I connect to this IP gateway and configure all these ones.
[12:38.660 --> 12:43.140]  And that's what I said. I configure the BusPro adapter and I have a configuration.
[12:43.140 --> 12:48.600]  Now that I have a configuration, I can use this data, this configuration data,
[12:48.600 --> 12:56.080]  to upload it, for example, to the cloud and save it also on my Android app in other apps as well.
[12:56.080 --> 13:00.140]  So, what I do next is register a new account in the HDL ON application.
[13:00.140 --> 13:02.780]  This is an Android application of HDL automation.
[13:02.780 --> 13:08.620]  It's used to control remotely and also locally within the Wi-Fi, these smart home devices.
[13:09.060 --> 13:12.220]  And when, as a technician, I register this new account,
[13:12.220 --> 13:15.440]  I also upload the local configuration to the app itself.
[13:15.440 --> 13:17.740]  So now, remember, I have a phone in my hand.
[13:17.740 --> 13:20.540]  I register the new account in this application.
[13:20.540 --> 13:25.160]  And I upload the configuration from this IP gateway or from my laptop,
[13:26.060 --> 13:29.340]  from the BusPro desktop software to this phone.
[13:29.340 --> 13:31.020]  I upload the configuration to my phone.
[13:31.020 --> 13:36.580]  Now the configuration to control everything in my smart home devices is inside my phone.
[13:36.700 --> 13:39.600]  So, for my phone, I can also connect to the internet.
[13:39.600 --> 13:43.040]  And this is exactly how I backup my configuration in the cloud.
[13:43.040 --> 13:47.520]  So, after I have the configuration in my phone, I upload it also to the cloud.
[13:47.520 --> 13:49.560]  And now it's also kept here.
[13:50.060 --> 13:50.580]  Cool.
[13:50.580 --> 13:55.320]  So, what happens when a new user comes in and joins to our game
[13:55.320 --> 14:00.240]  and wants also to enter these devices and control them?
[14:00.240 --> 14:05.820]  So, what happens next is that the first time, you download the HDL ON app.
[14:05.820 --> 14:06.400]  Why is that?
[14:06.400 --> 14:10.140]  Because you need to log into the HDL account that has been opened for him
[14:10.140 --> 14:14.900]  directly in order to control all these dimmers and other devices.
[14:15.000 --> 14:18.560]  So, we download this HDL ON app and you log into the HDL account
[14:18.560 --> 14:21.100]  that has been opened by the technician.
[14:21.540 --> 14:25.420]  And what he does next, you can actually bet on that, that...
[14:27.260 --> 14:31.380]  Well, yes, he downloads the configuration from the cloud.
[14:31.480 --> 14:35.440]  And when he downloads the configuration from the cloud,
[14:35.440 --> 14:40.960]  he has all the configuration to fully control these devices over here
[14:40.960 --> 14:44.280]  within the Wi-Fi or from remote.
[14:44.280 --> 14:49.240]  So, I'm a bit cheating here because there are two possibilities to operate these devices.
[14:49.240 --> 14:55.400]  And we'll talk about it in the next slide, which is the remote and the local mode.
[14:55.400 --> 15:01.580]  So, we can operate this HDL system in a remote and local connection.
[15:01.580 --> 15:06.500]  And the difference between them is that the local connection is accessible from Wi-Fi.
[15:06.560 --> 15:10.040]  Usually only from Wi-Fi and local networks.
[15:10.220 --> 15:16.300]  And the remote is accessible from the wide internet and from anywhere inside the world.
[15:16.300 --> 15:21.640]  And usually, it makes real sense that we want a remote control connection for it.
[15:21.640 --> 15:25.700]  Well, we want to be able to...
[15:25.700 --> 15:31.220]  For example, I have an air conditioner and I want to control this air conditioner before I get home
[15:31.220 --> 15:34.280]  because it's really, really hot today and it's summer.
[15:34.400 --> 15:38.300]  So, I would love it to be operated before I get back home, right?
[15:38.400 --> 15:40.000]  And this is really a cool thing.
[15:40.000 --> 15:44.820]  And at first time installation, the technician actually chooses whether
[15:44.820 --> 15:48.960]  to enable and allow remote connections or not.
[15:48.960 --> 15:54.700]  And usually, many times, because of the reasons I mentioned, the remote connection is enabled.
[15:55.060 --> 15:56.820]  And this is really interesting.
[15:56.820 --> 16:05.400]  Remember that in any scenario, we are using the HDL cloud service.
[16:05.400 --> 16:08.680]  Because in the first scenario of the Wi-Fi local connection,
[16:08.680 --> 16:12.320]  we still back up our configuration for new users to come.
[16:12.320 --> 16:17.460]  And on the remote connection mode, of course, we use this cloud service to connect back to us.
[16:17.460 --> 16:21.560]  So, the third point, the third bullet is always used.
[16:21.560 --> 16:24.620]  The HDL cloud servers are amazing, super interesting.
[16:25.800 --> 16:27.540]  Yeah, Internet of Things.
[16:27.540 --> 16:32.140]  Now, let's add Wi-Fi to all the things and let's see what happens.
[16:33.040 --> 16:33.840]  Cool.
[16:33.840 --> 16:35.660]  So, the focus of my research.
[16:36.080 --> 16:38.280]  Yes, we can research one and two.
[16:38.660 --> 16:44.020]  But first, my family will kill me again if I destroy all their smart home devices
[16:44.820 --> 16:47.440]  using the connection to the one and two bullets.
[16:47.460 --> 16:51.440]  And the second reason and the most relevant one, because I love my family,
[16:51.440 --> 16:55.720]  but it's not that exciting and relevant.
[16:55.720 --> 16:58.680]  The most relevant reason is the hardware.
[16:58.680 --> 17:02.040]  The hardware and the software can be really device dependent.
[17:02.040 --> 17:06.940]  And it will take a lot of time to investigate and research any specific device.
[17:06.940 --> 17:11.860]  Because each device has its own capabilities, own serial connection, own things.
[17:11.960 --> 17:16.300]  And reaching the point where you can really research and find vulnerabilities
[17:16.300 --> 17:20.000]  takes much more time, much more time than other things,
[17:20.000 --> 17:24.980]  which are publicly known, such as cloud servers or websites.
[17:25.040 --> 17:28.240]  So, of course, I thought that the Azure cloud servers,
[17:28.240 --> 17:32.440]  which are a critical bottleneck in these connections,
[17:32.440 --> 17:35.840]  are really, really interesting and a great idea to investigate.
[17:35.840 --> 17:41.440]  And also, when you think about a CISO, a CISO's view or the view of some people that
[17:41.440 --> 17:47.740]  work on the network security and the integrity of the network,
[17:47.740 --> 17:53.400]  you might think that what you need to defend against might be, not always,
[17:53.400 --> 17:58.900]  from the outside, from the arbitrary outside, and from the inside, from specific devices.
[17:58.900 --> 18:05.100]  But in this scenario, this cloud server might be okay, might be whitelisted, fully whitelisted,
[18:05.100 --> 18:10.400]  because this cloud server is just connecting to these devices,
[18:10.400 --> 18:15.580]  just connected to your devices, to your certified devices you put in your systems.
[18:15.640 --> 18:20.780]  But you need to understand, even as someone that works for security,
[18:20.780 --> 18:24.740]  that the bottleneck can be also outside your organization.
[18:24.740 --> 18:29.720]  And also, in the third bullet, in servers that you don't even have the code for them,
[18:29.720 --> 18:32.280]  and you don't even know what they're actually kind of doing.
[18:32.280 --> 18:35.620]  So this is really interesting in the point of focus as well.
[18:35.620 --> 18:39.620]  But we speak about focus a lot. Let's now speak about the cloud server.
[18:39.620 --> 18:44.020]  So a starting point for this is the HDL ON app, how it works, the HDL ON app.
[18:44.020 --> 18:46.740]  So first is the login screen, yeah, nice login screen.
[18:46.740 --> 18:51.440]  You can see a simple login here, and a sign-up button also,
[18:51.440 --> 18:54.880]  and the forgot password mechanism, which is really cool.
[18:55.440 --> 19:00.140]  And also interesting, forgot password actually works the same as you'd think.
[19:00.140 --> 19:07.260]  It sends you a reset link to your email, and you can click on this link,
[19:07.260 --> 19:09.260]  and immediately go to this link.
[19:09.260 --> 19:15.840]  But the URL in the forgot password was really, really interesting.
[19:15.940 --> 19:17.490]  And we'll speak about it later.
[19:18.100 --> 19:22.180]  Sign-up. Sign-up includes... you can enter either phone or an email,
[19:22.180 --> 19:27.280]  and you can also add the password. Well, you should add the password.
[19:29.440 --> 19:33.520]  And then you have all your things enabled.
[19:33.720 --> 19:38.570]  And after that, you can upload from the app the configuration you have.
[19:38.570 --> 19:41.250]  Remember this IP gateway, where I configure all this stuff,
[19:41.250 --> 19:45.470]  so I can upload the configuration from this IP adapter to my phone.
[19:45.730 --> 19:49.150]  And from there on, I can upload this to the cloud.
[19:49.150 --> 19:53.110]  And I can also download cloud configurations using this app
[19:53.110 --> 19:56.830]  to configure my system, my application,
[19:56.830 --> 20:00.210]  to control these devices in my Wi-Fi network and stuff.
[20:00.530 --> 20:02.390]  So this is the sign-up.
[20:02.810 --> 20:06.290]  Well, enough chitchat. Let's talk about vulnerabilities.
[20:06.290 --> 20:09.070]  So the first vulnerability, really cool.
[20:09.070 --> 20:12.360]  Account takeover number one, or let's forget our password together.
[20:12.730 --> 20:15.270]  So let's forget our password.
[20:15.270 --> 20:19.030]  I click on the forgot password, and I got this following link.
[20:19.210 --> 20:26.590]  Well, this seems like a nice, naive link that isn't going to affect anyone, right?
[20:26.750 --> 20:32.290]  Well, the main thing you can see here and observe, I'll make sure you understand that.
[20:32.290 --> 20:36.630]  Well, there are a couple of parameters, really, really interesting.
[20:36.630 --> 20:38.570]  The first one is the time.
[20:38.670 --> 20:41.950]  Time seems like just the time in some format.
[20:41.950 --> 20:44.750]  An email, which is actually my email.
[20:44.750 --> 20:48.210]  The email that I want to reset the password now for.
[20:48.450 --> 20:51.950]  And this parameter and these kind of parameters as well.
[20:52.150 --> 20:54.470]  And this is really, really interesting,
[20:54.470 --> 21:02.270]  because you can think that maybe something random should be placed there, right?
[21:02.270 --> 21:05.710]  Something random so that I couldn't fake this kind of link.
[21:06.690 --> 21:11.230]  You could also think that if I change this email to any arbitrary email,
[21:11.230 --> 21:13.110]  it won't work, right?
[21:13.110 --> 21:15.790]  It will be verified in some manner,
[21:15.790 --> 21:19.970]  and they won't let me change the password for any arbitrary user.
[21:19.970 --> 21:20.850]  Come on.
[21:20.850 --> 21:22.450]  Well, they did.
[21:22.450 --> 21:30.930]  They actually did let me change any user password by its email to any user.
[21:30.930 --> 21:32.630]  The way to exploit it,
[21:32.630 --> 21:35.590]  for example, if I'm thinking hacker-wise,
[21:35.590 --> 21:39.230]  is to do forgot password for my email account,
[21:39.230 --> 21:41.670]  get this link, okay,
[21:41.670 --> 21:45.950]  and change only the email, the email area, to the victim's email.
[21:46.450 --> 21:51.450]  And from there on, I get full authorization to change its password.
[21:51.450 --> 21:54.050]  This link lets me change the password of this user.
[21:54.050 --> 21:55.310]  I can fully change his password.
[21:55.310 --> 21:56.170]  Really cool.
[21:56.330 --> 21:57.070]  And it works.
[21:57.070 --> 21:57.810]  Perfect.
[21:58.930 --> 22:01.430]  So, let's do it again.
[22:01.430 --> 22:03.270]  So, account takeover number two.
[22:03.270 --> 22:07.050]  Or maybe let's forget our password again.
[22:07.330 --> 22:10.410]  And how can we do it?
[22:10.410 --> 22:14.730]  So, let's now forget about the users I already showed you,
[22:14.730 --> 22:18.770]  about the users and forgetting the passwords again.
[22:18.770 --> 22:23.210]  And now let's focus on another thing that's called the technician user.
[22:23.230 --> 22:26.550]  The technician user is the user that is automatically generated
[22:26.550 --> 22:29.610]  when the user registers with their email.
[22:29.610 --> 22:32.490]  So, when the user registers for the first time with an email,
[22:32.490 --> 22:35.150]  for example, a technician installs the system
[22:35.150 --> 22:37.430]  and registers your HDL account,
[22:37.430 --> 22:43.030]  what he's doing actually also automatically opens up a technician user
[22:43.030 --> 22:47.010]  with the same password as the username, as the original user.
[22:47.010 --> 22:50.730]  For example, I register with this email at mymail.com.
[22:50.730 --> 22:56.070]  It also automatically opens a technician user at email-debug at mymail.com.
[22:56.870 --> 22:59.150]  And this is really interesting now,
[22:59.150 --> 23:02.810]  because the technician user is able to change settings
[23:02.810 --> 23:07.910]  and control all system configuration of the smart home devices as well.
[23:07.910 --> 23:11.830]  And this can be really bad, right, if we can hack this technician user.
[23:11.830 --> 23:13.930]  We can also change the cloud configuration.
[23:13.930 --> 23:16.190]  We can also do many, many more things.
[23:17.210 --> 23:24.250]  At this point, I usually ask the crowd if they know how to hack this system.
[23:24.250 --> 23:28.810]  I guess some of you actually understand where I'm going with this,
[23:28.810 --> 23:31.090]  and it's actually really working.
[23:31.090 --> 23:34.970]  So to exploit and to take over any technician user,
[23:34.970 --> 23:37.370]  what we need to do is to find the victim email,
[23:37.370 --> 23:39.570]  let's say victim at mymail.com,
[23:39.570 --> 23:46.570]  and open a new email at this mymail.com service at victim-debug at mymail.com.
[23:46.570 --> 23:50.450]  So I open this new email account, and I have it.
[23:50.450 --> 23:54.230]  And yes, what I will do next is just forget my password.
[23:54.230 --> 23:59.630]  I click on forget password for this victim-debug at mymail.com.
[23:59.630 --> 24:01.910]  And when I do reset password on this account,
[24:01.910 --> 24:08.750]  I will be sending... they will send me their email with the reset link,
[24:08.750 --> 24:10.350]  the reset of the password.
[24:10.350 --> 24:17.390]  So I actually can change the victim-debug at mymail.com password.
[24:17.390 --> 24:22.050]  So I actually can get access to all the technician features.
[24:22.050 --> 24:24.330]  I can access the technician user.
[24:24.710 --> 24:27.510]  Just to conclude, and to make sure everyone is with me,
[24:27.510 --> 24:33.110]  what I'm doing is I'm opening another account for the technician email
[24:33.110 --> 24:35.710]  at victim-debug at mymail.com.
[24:35.710 --> 24:39.750]  And I call the reset password for this email.
[24:40.150 --> 24:43.210]  And this is really cool, and it's working.
[24:43.210 --> 24:54.550]  And the reason it's working is because they don't verify this email, which is not a valid email,
[24:54.550 --> 25:00.970]  and they shouldn't send a forgot password to these technician users at all,
[25:00.970 --> 25:05.170]  or even find another way to create users for the technician
[25:05.170 --> 25:07.970]  which is not related to this dash-debug.
[25:08.610 --> 25:15.430]  Yes, it's really worked, and it made me to take over any account of, well, technician accounts.
[25:16.410 --> 25:17.230]  Very cool.
[25:17.230 --> 25:19.570]  It's working for some providers, not all of them.
[25:20.130 --> 25:24.250]  I feel, in the sense that some of them replace the dash with another character,
[25:24.250 --> 25:29.110]  so it can probably be bypassed even on mail services that don't allow a dash in the username,
[25:29.110 --> 25:30.970]  but I need to think about it even more.
[25:31.510 --> 25:32.070]  Cool.
[25:32.070 --> 25:34.990]  So now we spoke about the pre-authentication vulnerabilities.
[25:35.050 --> 25:37.610]  Let's see what is happening post-authentication.
[25:37.610 --> 25:44.190]  So let's get our devices and start investigating several API endpoints.
[25:44.190 --> 25:48.410]  And I actually encountered many API endpoints which are open,
[25:48.410 --> 25:52.270]  and one of them was the device-by-region list.
[25:52.270 --> 25:55.710]  And the device by region list is a very interesting API endpoint.
[25:56.150 --> 25:58.250]  It comes right after the login.
[25:58.250 --> 26:00.310]  You log in, and you have a device list,
[26:00.310 --> 26:06.210]  and you can actually search this device list by the region name,
[26:06.210 --> 26:09.810]  the region ID, by device ID, by anything you want.
[26:09.810 --> 26:11.250]  So it's really cool.
[26:11.710 --> 26:14.330]  And how you do it: you go to the device section,
[26:14.330 --> 26:19.630]  and the parameters you control are the region ID, device ID, device name.
[26:19.630 --> 26:23.650]  So all of these guys are fully controllable and very, very interesting.
[26:25.650 --> 26:29.990]  So the first try I did was sending this.
[26:29.990 --> 26:35.370]  This was in the POST data body of the message I was sending.
[26:35.370 --> 26:42.790]  And this data contained the parameters that needed to be searched for.
[26:42.790 --> 26:46.630]  And as you can observe quite well, there is the SQL injection I tried to put.
[26:47.090 --> 26:51.970]  And, well, yes, it did return to me all the devices in the system.
[26:51.970 --> 26:58.650]  But remember, to find out if there is an SQL injection in the site or not,
[26:58.650 --> 27:03.810]  it's not enough just to test for this kind of string and to see that I get all the data.
[27:03.810 --> 27:05.770]  I need to do a little bit more than that,
[27:05.770 --> 27:11.790]  and see that it actually runs an SQL statement I fully control, black-box wise.
[27:12.090 --> 27:12.890]  Cool.
[27:12.890 --> 27:16.710]  And so the second try was something like this.
[27:16.850 --> 27:18.970]  And it actually worked again.
[27:18.970 --> 27:20.890]  And I got all the devices.
[27:20.890 --> 27:21.830]  So it's not...
[27:21.830 --> 27:26.130]  And also I tried to make an invalid SQL statement.
[27:26.130 --> 27:30.830]  And what I got is that I get a response, an error response,
[27:30.830 --> 27:33.350]  specifically on invalid SQL statements.
[27:33.350 --> 27:35.070]  So, yes, I have an SQL injection.
[27:35.070 --> 27:36.210]  Very, very cool.
[27:36.210 --> 27:37.290]  I'm getting all the data.
[27:37.290 --> 27:39.450]  Not all the data in the DB,
[27:39.450 --> 27:41.950]  all the data I have on my devices.
[27:41.950 --> 27:48.650]  So there is some way to gain control and to get all the data of the HDL database.
[27:49.130 --> 27:51.710]  So why not extract more data, right?
[27:52.070 --> 27:54.250]  Well, problems.
[27:54.250 --> 28:01.610]  Some of the problems are the returned columns and specifically the ASP parser.
[28:01.610 --> 28:06.110]  So the server, as I told you, is the HDL cloud servers.
[28:06.230 --> 28:08.970]  They have ASP server inside of them.
[28:08.970 --> 28:09.930]  Windows server.
[28:10.030 --> 28:14.230]  And this ASP parser checks the validity of the return columns.
[28:14.330 --> 28:19.810]  So, for example, if I do a union SQL injection, I need to verify and validate that all the data
[28:19.810 --> 28:23.290]  I return is correct in the manner the ASP parser expects.
[28:23.290 --> 28:26.210]  And if it's not, I wouldn't be able to pass and get my data.
[28:26.210 --> 28:27.350]  I just get in an error.
[28:27.350 --> 28:28.350]  Error response.
[28:28.350 --> 28:29.470]  Nothing happens.
[28:29.470 --> 28:34.990]  And, well, yes, you might think to yourself, well, let's do blind SQL injection, right?
[28:34.990 --> 28:39.130]  Let's do, like, a time-based SQL injection, something like that.
[28:39.130 --> 28:40.910]  But it's not that easy.
[28:40.910 --> 28:46.250]  Because I am bounded in this scenario by not being able to send so much data.
[28:46.250 --> 28:52.210]  Well, first thing is that I didn't want to alert the system.
[28:52.210 --> 28:54.090]  I didn't want to bomb the system.
[28:54.110 --> 28:59.150]  I didn't want to stress the system or to do anything like that, in a sense.
[28:59.470 --> 29:07.170]  And, well, the second thing is that even if I did do it, it could take a lot of
[29:07.170 --> 29:07.490]  time.
[29:07.490 --> 29:15.370]  Because I have more than 11 columns returning from the SQL injection, from this SQL query,
[29:15.370 --> 29:18.350]  not the injection, from the SQL query, more than 11 columns.
[29:18.350 --> 29:25.830]  Which means almost 4 million queries were required to inspect all the relevant types
[29:25.830 --> 29:26.550]  and values.
[29:26.550 --> 29:31.670]  Remember, the ASP parser also checks for the validity even of the ranges of some of the
[29:31.670 --> 29:33.370]  values returned.
[29:34.570 --> 29:35.390]  Yes.
[29:35.450 --> 29:40.490]  And also it's worth mentioning that, well, I didn't use a VPN.
[29:40.930 --> 29:46.670]  And that's a really good reason not to, like, jiggle with the site and try to brute force,
[29:46.670 --> 29:48.350]  like, arbitrary sites.
[29:48.690 --> 29:51.270]  So, yeah, not a good idea.
[29:51.270 --> 29:52.710]  Don't try it at all.
[29:52.790 --> 29:55.790]  And so this is the blind SQL injection idea.
[29:55.790 --> 30:00.150]  As I told you, even time-based or parser-error, yes-or-no, will take a lot of time.
[30:00.670 --> 30:01.710]  Cool.
[30:01.850 --> 30:06.850]  But let's forget about this SQL injection.
[30:06.850 --> 30:09.870]  Let's think about another way to bypass the ASP parser.
[30:10.070 --> 30:16.830]  You all must agree with me that if I find another SQL injection that returns much, much
[30:16.830 --> 30:23.210]  fewer columns, I could go over all the possibilities with this union SQL injection or something
[30:23.210 --> 30:30.110]  and find out the relevant order to make it work and to return all the data and bypass
[30:30.110 --> 30:31.210]  the ASP parser.
[30:31.210 --> 30:34.010]  So this is exactly what I was going for.
[30:34.010 --> 30:38.710]  So to bypass the ASP parser, I was going to the... you remember the device name.
[30:38.710 --> 30:41.910]  This is the original parameter for the SQL injection.
[30:41.910 --> 30:48.070]  I tried to find this device name, the exact name, the exact argument in another API endpoint.
[30:48.890 --> 30:50.450]  And I actually did find it.
[30:50.450 --> 30:52.390]  I found it in the get room binding device.
[30:52.390 --> 30:54.210]  There is the device name parameter.
[30:54.210 --> 30:56.350]  There is an SQL injection there.
[30:56.350 --> 31:01.190]  You go to the room section, you search by the device binding name, and voila, you have
[31:01.190 --> 31:02.470]  an SQL injection.
[31:02.490 --> 31:03.330]  Very cool.
[31:03.330 --> 31:05.130]  SQL injection in the same argument.
[31:05.230 --> 31:13.490]  And the most amazing thing here is that only four columns are being returned.
[31:13.490 --> 31:14.650]  Only four columns.
[31:14.650 --> 31:15.590]  That's all.
[31:15.590 --> 31:17.190]  And it's really amazing.
[31:17.190 --> 31:25.710]  We can do the permutation over all these options, with the possibility of doing all of it in a really,
[31:25.710 --> 31:29.110]  really short number of queries.
[31:31.410 --> 31:37.090]  So permuting over the column order and trying to find the correct way to make it work looked like
[31:37.090 --> 31:37.590]  this.
[31:37.590 --> 31:43.770]  So here you can see the union SQL injection, and here you can see and observe the parameters
[31:43.770 --> 31:44.950]  I put in.
[31:44.950 --> 31:50.250]  And I just scrambled and permuted this one each time and tried to see if it worked.
[31:50.250 --> 31:53.490]  And I also increased the number of columns because I didn't really know the number of
[31:53.490 --> 31:54.170]  columns.
[31:54.170 --> 31:57.090]  But I knew it was around four.
[31:57.290 --> 31:58.790]  I said only four.
[31:58.790 --> 31:59.190]  I'm sorry.
[31:59.190 --> 32:04.150]  It was really around four because I saw that the number of columns was four
[32:04.150 --> 32:10.470]  in the data, but it could maybe be one more for the ID or the key saved in the SQL.
[32:10.470 --> 32:12.450]  But it was eventually four.
[32:12.450 --> 32:14.310]  So it's not really interesting.
[32:14.310 --> 32:16.090]  And I found that this is working.
[32:16.130 --> 32:22.330]  And to conclude all of this, it was quite amazing to see that I'm getting the whole database
[32:22.330 --> 32:28.070]  with one single query, one single SQL injection to rule them all, bypassing the ASP parser
[32:28.070 --> 32:34.850]  and getting the whole database, all the things as well.
[32:34.850 --> 32:35.810]  Cool.
[32:35.810 --> 32:41.270]  So at this point, of course, I reached out to the HDL Automation company.
[32:41.850 --> 32:47.410]  I did a fully coordinated disclosure with them, worked with them silently and helped them
[32:47.550 --> 32:48.050]  a lot.
[32:48.050 --> 32:49.790]  And they also helped me.
[32:50.590 --> 32:54.030]  They were really enthusiastic about helping and securing the system.
[32:54.030 --> 32:55.750]  So it was great for them.
[32:56.630 --> 33:01.570]  But let's now speak about how we can hack into any arbitrary HDL user.
[33:01.570 --> 33:05.390]  For example, you have your own, I don't know,
[33:05.390 --> 33:08.890]  HDL account in your smart home in Dubai.
[33:08.890 --> 33:13.070]  Or you have your own smart home in some airport.
[33:13.070 --> 33:16.150]  Because there are airports and museums in HDL.
[33:16.150 --> 33:23.240]  So you can actually find a scenario of how you can fully control any HDL account.
[33:23.730 --> 33:28.260]  What we found, the vulnerabilities we have, are two SQL injections and two account takeovers.
[33:28.930 --> 33:33.470]  And there are two scenarios to gain full takeover over any user.
[33:33.470 --> 33:39.350]  The first scenario: you, the attacker, know the victim's email.
[33:39.350 --> 33:41.310]  You know the victim's email.
[33:41.310 --> 33:47.230]  And you just get from the database the hashed, salted password.
[33:47.230 --> 33:49.430]  And you now brute force this password.
[33:49.430 --> 33:55.110]  And when you brute force this password, you can get after some time the password, of course.
[33:55.250 --> 33:59.610]  And the second option is to do one of the takeovers I've mentioned.
[33:59.610 --> 34:02.890]  Actually, the second one, the technician one, is much more silent.
[34:02.890 --> 34:09.510]  When you do an account takeover of the technician account:
[34:09.510 --> 34:12.590]  usually the normal accounts are used by the normal people,
[34:12.590 --> 34:17.730]  the other people that use the system as normal users, in the sense of using the system.
[34:17.730 --> 34:20.810]  They use the normal accounts.
[34:20.810 --> 34:22.630]  And they don't use the technician account,
[34:22.630 --> 34:25.150]  only for configuration and when something goes wrong.
[34:25.150 --> 34:28.610]  So you can connect and take over only the technician account.
[34:28.610 --> 34:31.130]  And it will work silently and no one will know.
[34:31.750 --> 34:42.210]  The second scenario is where you can control any arbitrary HDL user without an email.
[34:42.210 --> 34:43.490]  And now we can do it.
[34:43.490 --> 34:45.530]  For example, you know the company name.
[34:45.530 --> 34:48.330]  You know the phone number of the victim.
[34:48.430 --> 34:52.290]  You know their full name, in a sense, or something like that.
[34:52.290 --> 34:57.030]  So you can scrape through the HDL database and find their account, find their email.
[34:57.030 --> 35:04.770]  And then go back to the first scenario and hack their user by any of these possibilities.
[35:05.790 --> 35:07.650]  Okay, really, really cool.
[35:07.650 --> 35:10.810]  So we can hack any HDL user in the entire world.
[35:10.810 --> 35:15.050]  Let's now go through the security implications to conclude what I've been talking about.
[35:15.050 --> 35:18.230]  So let's start with the easygoing security implications.
[35:18.230 --> 35:21.390]  Not to frighten all the people so much.
[35:21.390 --> 35:25.170]  So the first security implications are the private data leaks, of course.
[35:25.170 --> 35:30.790]  Hash passwords, emails, phone numbers, company names, names in general.
[35:32.730 --> 35:36.550]  Tremendous amount of data.
[35:36.610 --> 35:41.270]  And also the HDL cloud backup configuration is there, which gives us the following.
[35:41.270 --> 35:43.350]  The full smart devices info.
[35:43.350 --> 35:45.530]  And the full smart devices info is amazing.
[35:45.530 --> 35:50.050]  What you see here, what you can observe here, is exactly from the app.
[35:50.550 --> 35:57.750]  You can see that this app can control cameras, TVs, security sensors in other manners,
[35:57.750 --> 36:01.750]  and air conditioners also in the server rooms as well.
[36:02.650 --> 36:08.110]  Internal network IPs can be exposed using these systems as well, and firmware versions.
[36:08.110 --> 36:13.010]  Internal network IPs, because they are written inside the configuration, some of them.
[36:13.010 --> 36:17.970]  And you can actually use some of them to observe and see where the HDL devices are,
[36:18.430 --> 36:21.010]  their IPs, and some of them, kind of, in that sense.
[36:22.190 --> 36:23.630]  And very cool.
[36:23.630 --> 36:25.410]  And also the remote control.
[36:25.490 --> 36:29.770]  So you can actually, again, of course, remote control over these things.
[36:29.930 --> 36:34.630]  And you can adjust, well, as I said before, the air conditioner in the server room.
[36:34.630 --> 36:37.350]  You can make it up to 50 Celsius.
[36:37.750 --> 36:42.730]  I don't think they actually support it, but 35, something like that for a week,
[36:42.730 --> 36:45.670]  would probably destroy the server room, I guess.
[36:45.670 --> 36:48.310]  And also to watch their IP cameras.
[36:48.850 --> 36:50.310]  So it can be really, really bad.
[36:50.310 --> 36:51.910]  Disable some sensors.
[36:53.350 --> 36:56.190]  Now, I'm sorry for that in advance.
[36:56.190 --> 36:59.670]  These are kind of pure evil, pure evil ideas.
[36:59.670 --> 37:05.070]  But we need to discuss them because we need to understand and realize that the security
[37:05.070 --> 37:10.510]  implications, even if I don't have a full RCE over any kind of device,
[37:10.510 --> 37:17.930]  are tremendous, and there are high-impact and costly impacts on the organizations as well
[37:17.930 --> 37:19.290]  that can be done.
[37:19.290 --> 37:23.430]  And the first one is, well, you can add internal non-exposed IP address.
[37:23.430 --> 37:27.590]  Sometimes they are hiding the gateways that control other systems.
[37:27.590 --> 37:32.170]  For example, hidden security areas, hidden secure rooms and stuff like that.
[37:32.170 --> 37:36.370]  You can actually expose them because there is an auto search functionality in the app.
[37:36.370 --> 37:42.990]  Another thing you can do is you can encrypt all the configurations, remove all the configurations
[37:43.700 --> 37:45.670]  from the HDL app.
[37:46.010 --> 37:51.250]  And some people can do kind of a ransomware and blackmail the companies.
[37:51.250 --> 37:57.050]  And until they do it, you won't give them back the possibility to control their
[37:57.050 --> 38:00.750]  system, to control their lights, to control their powers, their RCEs.
[38:00.750 --> 38:06.110]  This can really shut down a company in the logistics, in the industrial sense.
[38:07.510 --> 38:09.110]  In the logistics sense, a lot.
[38:09.210 --> 38:13.010]  Another thing is to use the air conditioner to affect critical locations.
[38:13.410 --> 38:19.270]  And also something I really love, which is called a hidden trigger attack.
[38:19.270 --> 38:20.570]  What is a hidden trigger attack?
[38:20.570 --> 38:24.750]  So let's, for example, say that we are not in the Wi-Fi.
[38:24.750 --> 38:26.570]  We are not in a local connection.
[38:26.690 --> 38:28.870]  OK, you are smart guys.
[38:28.870 --> 38:31.270]  You block all the remote connections.
[38:31.270 --> 38:33.410]  You keep only the local connections.
[38:33.410 --> 38:37.710]  But remember, the configuration is still on the HDL cloud servers.
[38:37.710 --> 38:42.310]  So when the user updates, and they will update their configuration sometimes, you can
[38:42.310 --> 38:47.770]  actually connect the button, for example, switch on the lights, to a button that
[38:47.770 --> 38:56.270]  also switches and adjusts the air conditioner to 35 degrees, 35 degrees Celsius.
[38:56.270 --> 38:59.950]  So you can connect two buttons, for example, to the same button.
[38:59.950 --> 39:03.190]  So the user just switches on the light.
[39:03.210 --> 39:05.770]  But he actually did a lot of other stuff as well.
[39:05.770 --> 39:08.210]  Disabled sensors and did a lot of other things.
[39:08.210 --> 39:12.250]  And for this attack, you don't even need the remote mode connection.
[39:12.250 --> 39:16.830]  Even in the local mode, it can really affect the users in the organization.
[39:16.830 --> 39:21.170]  Because the configuration is still in the HDL cloud backup database.
[39:21.170 --> 39:25.530]  The HDL cloud servers are really affecting the organization as a bottleneck.
[39:26.110 --> 39:29.930]  Also, another thing you can do, you can disable and control other critical sensors.
[39:30.490 --> 39:32.230]  You can disable security cameras.
[39:32.230 --> 39:39.570]  You can disable sensors for overheating, security alerts, and also you name it.
[39:40.970 --> 39:42.650]  Well, this is another idea.
[39:42.650 --> 39:45.170]  This is not a direct security issue.
[39:45.170 --> 39:49.710]  But this is another idea I had in mind, which is exploiting the internal network.
[39:49.750 --> 39:53.310]  For example, I can change a cloud configuration file to a malicious one.
[39:53.310 --> 39:56.970]  Maybe something that does something on the device.
[39:56.970 --> 40:02.010]  Maybe I can exploit the device when they update the configuration file on the device.
[40:02.050 --> 40:03.290]  It can be really interesting.
[40:03.290 --> 40:05.930]  These can be ideas for further research and stuff like that.
[40:05.970 --> 40:07.230]  So this is really cool.
[40:07.230 --> 40:13.770]  And it increases the attack surface to the internal network and to the organization as well.
[40:14.550 --> 40:15.090]  Cool.
[40:15.090 --> 40:16.970]  So we are coming to the conclusion.
[40:17.270 --> 40:22.590]  And some of the ideas to continue is, of course, to find a way from the account takeover
[40:23.190 --> 40:26.750]  to getting into the internal network of the organization.
[40:26.750 --> 40:27.790]  Can it be done?
[40:27.790 --> 40:29.190]  How can it be done?
[40:29.190 --> 40:30.770]  Taking over the device.
[40:30.770 --> 40:32.770]  Taking over something like something else.
[40:32.770 --> 40:38.090]  Maybe taking advantage of the way they control the smart home devices in the network.
[40:38.090 --> 40:38.610]  I don't know.
[40:38.610 --> 40:39.710]  You name it.
[40:40.210 --> 40:45.150]  And another thing is access from the LAN and the Wi-Fi.
[40:45.150 --> 40:48.130]  For example, I already have Wi-Fi and LAN access.
[40:48.130 --> 40:52.070]  To find an RCE over one of the smart device platforms.
[40:52.150 --> 40:55.850]  Specifically, of course, the IP adapter.
[40:55.850 --> 41:00.810]  The IP serial adapter of the HDL gateway devices, which is really cool also.
[41:01.370 --> 41:04.810]  And yes, so many amazing ideas can be done.
[41:05.010 --> 41:06.550]  It can be amazing.
[41:06.550 --> 41:11.290]  I had so much fun working for this project.
[41:11.370 --> 41:12.970]  And I really come to the conclusion.
[41:12.970 --> 41:19.470]  I want to thank everyone, starting from the HDL Automation company, for the fast fix and
[41:19.470 --> 41:22.430]  coordinated disclosure of all the vulnerabilities.
[41:22.430 --> 41:24.030]  HDL Automation, you are really great.
[41:24.030 --> 41:26.190]  And I love working with you guys.
[41:26.450 --> 41:34.170]  The second thing is that I wanted to really thank Ofer Peleg, who is the HDL Israel
[41:34.170 --> 41:38.190]  representative, for supporting me along the way and helping me fix this.
[41:38.190 --> 41:41.150]  He was also an amazing guy.
[41:41.790 --> 41:47.110]  And well, of course, thank you to my family for letting me break in their house.
[41:47.190 --> 41:48.610]  But only one time.
[41:48.610 --> 41:49.650]  Only one time.
[41:49.650 --> 41:52.490]  Hopefully not on the second time, but we'll see about that.
[41:52.490 --> 41:56.950]  And of course, and of course, I'm really thankful to SentinelOne.
[41:56.950 --> 42:00.750]  SentinelOne, thank you for sponsoring and supporting my research.
[42:02.030 --> 42:03.470]  Thank you so much.
[42:04.250 --> 42:06.550]  And well, I think this is it.
[42:06.550 --> 42:09.430]  We are coming to a live questions and answers session.
[42:09.430 --> 42:16.590]  So if you want to, if you have any questions about my lecture, or if you want to read my
[42:16.590 --> 42:17.510]  full blog.
[42:17.510 --> 42:23.030]  So first, I wanted you to know that my full blog and my full research are being published right
[42:23.030 --> 42:25.770]  now as we speak on the SentinelLabs blog.
[42:25.770 --> 42:30.930]  So make sure you follow SentinelLabs and go to the SentinelLabs website at Sentinel
[42:30.930 --> 42:31.730]  One.
[42:31.750 --> 42:37.090]  And there is my full research with a lot of other code sections and stuff like this.
[42:37.090 --> 42:43.490]  And from now on, I will go to the questions and answers in the Discord channel in DEF CON for
[42:43.490 --> 42:44.690]  more questions and answers.
[42:44.690 --> 42:47.570]  And I'll be happy to answer any questions you have in mind.
[42:47.850 --> 42:49.490]  And thank you all for listening.
[42:49.490 --> 42:52.430]  Thank you all for coming here.
[42:52.430 --> 42:56.910]  And I hope to see you soon at DEF CON at another, even non-Corona, event.
[42:56.910 --> 42:59.050]  We can see face to face also.
[42:59.050 --> 43:00.390]  So thank you very much.
